[Dnsmasq-discuss] feature request: ipset options
Leonardo Rodrigues
2018-04-23 20:15:10 UTC
    I'm running dnsmasq with ipset support on some VERY low-memory
machines (those all-in-one boards), and RAM is really my main concern
here. I'm actually using some 'ipset' rules in dnsmasq.conf to put some
domains' IPs on an ipset list and, thus, be able to allow/deny them
with iptables.

    Some of the sets are REALLY large (10k+ entries).

    I was thinking of having a dnsmasq option for, instead of adding
the full IP to the set, adding its /24 network, for example (simply
stripping the last digit and adding '.0/24'). In that case, the sets would
be significantly smaller. I know that with this I'll potentially be allowing
traffic I'm not looking for, by assuming the domain holds the entire /24
network. But I'm really concerned with RAM usage, and I'm willing to
take that risk.

    Would it be hard to implement something like that in dnsmasq?
Would this be useful for anyone else?
--
Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

My SPAM trap, do NOT send email to it:
***@solutti.com.br
Simon Kelley
2018-04-23 21:39:34 UTC
I'm no ipset expert, but it looks to me like you can get this effect
anyway, by creating the ipset as type hash:ip and specifying a netmask.


http://ipset.netfilter.org/ipset.man.html

hash:ip
The hash:ip set type uses a hash to store IP host addresses (default) or
network addresses. Zero valued IP address cannot be stored in a hash:ip
type of set.
CREATE-OPTIONS := [ family { inet | inet6 } ] | [ hashsize value ] [
maxelem value ] [ netmask cidr ] [ timeout value ] [ counters ] [
comment ] [ skbinfo ]

ADD-ENTRY := ipaddr

ADD-OPTIONS := [ timeout value ] [ packets value ] [ bytes value ] [
comment string ] [ skbmark value ] [ skbprio value ] [ skbqueue value ]

DEL-ENTRY := ipaddr

TEST-ENTRY := ipaddr

Optional create options:

netmask cidr
When the optional netmask parameter specified, network addresses will be
stored in the set instead of IP host addresses. The cidr prefix value
must be between 1-32 for IPv4 and between 1-128 for IPv6. An IP address
will be in the set if the network address, which is resulted by masking
the address with the netmask, can be found in the set. Examples:
ipset create foo hash:ip netmask 30
ipset add foo 192.168.1.0/24
ipset test foo 192.168.1.2


Cheers,

Simon.
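An added example (mine, not code from the thread, from ipset or from dnsmasq) that models the `hash:ip netmask 24` behaviour Simon points to, on constructed addresses, so you can see how many entries the aggregation saves and which never-resolved addresses it starts matching; the `RESOLVED` list and the set contents are assumptions, and the real-world equivalent is `ipset create foo hash:ip netmask 24` fed by an `ipset=/<domain>/foo` line in dnsmasq.conf.

```python
# Added example, not code from the dnsmasq thread or the ipset project: models what
# `ipset create <set> hash:ip netmask 24` does with the addresses dnsmasq adds via
# `ipset=/<domain>/<set>`, so the size saving and the over-match risk can be measured
# offline on constructed data.
import ipaddress

def masked_key(ip, prefix):
    """Network address that hash:ip with `netmask <prefix>` stores: ip AND mask."""
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

class MaskedIpSet:
    """Minimal model of an IPv4 ipset hash:ip set, optionally created with a netmask."""

    def __init__(self, prefix=32):
        if not 1 <= prefix <= 32:  # man page: cidr must be between 1 and 32 for IPv4
            raise ValueError("netmask cidr must be between 1 and 32 for IPv4")
        self.prefix = prefix
        self._entries = set()

    def add(self, ip):
        # Only the network address is stored, so hosts in one /prefix collapse to one entry.
        self._entries.add(masked_key(ip, self.prefix))

    def test(self, ip):
        # Membership is decided on the masked address, exactly like `ipset test`.
        return masked_key(ip, self.prefix) in self._entries

    def __len__(self):
        return len(self._entries)

# Constructed sample (documentation ranges): addresses a few names might resolve to.
RESOLVED = ["203.0.113.10", "203.0.113.11", "203.0.113.200",
            "198.51.100.7", "198.51.100.8", "192.0.2.33"]

def fill(resolved, prefix):
    s = MaskedIpSet(prefix)
    for ip in resolved:
        s.add(ip)
    return s

def compare_sizes(resolved, prefix=24):
    """(entries with plain hash:ip, entries with `netmask <prefix>`) for the same input."""
    return len(fill(resolved, 32)), len(fill(resolved, prefix))

def overmatched(resolved, probe, prefix=24):
    """True when `probe` never resolved yet matches the netmask set: the traffic
    the thread accepts allowing in exchange for the smaller set."""
    return not fill(resolved, 32).test(probe) and fill(resolved, prefix).test(probe)
```

With the sample above the six host entries collapse to three /24 entries, and `203.0.113.250`, which no name resolved to, now tests as a member.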
Leonardo Rodrigues
2018-04-23 22:28:48 UTC
    That's EXACTLY what I was looking for... I wasn't aware of that
option, and really, setting netmask to 24 seems to achieve exactly what
I need.

    Thanks!!!
Post by Simon Kelley
I'm no ipset expert, but it looks to me like you can get this effect
anyway, by creating the ipset as type hash:ip and specifying a netmask.
http://ipset.netfilter.org/ipset.man.html
--
Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

My SPAM trap, do NOT send email to it:
***@solutti.com.br
Eliezer Croitoru
2018-04-24 03:23:14 UTC
Hey Leonardo,

Can you share your setup details?
It kind of interests me.

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: ***@ngtech.co.il



Leonardo Rodrigues
2018-04-26 19:20:04 UTC
    While I can't give you exact configurations, I can say it's a
simple configuration on dnsmasq feeding some ipset sets based on domains
(plain simple configuration) and those sets being used by iptables rules.

    While the set sizes simply don't matter when you have GBs of RAM,
when trying to do that with 32 MB of RAM, things change a little. So
that's why I'm trying to squeeze each KB of used memory by reducing
the ipset set sizes through IP aggregation.
Post by Eliezer Croitoru
Hey Leonardo,
Can you share your setup details?
It kind of interests me.
--
Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

My SPAM trap, do NOT send email to it:
***@solutti.com.br